Method, program and system for automatically detecting malicious computer network reconnaissance

ABSTRACT

A detection and response system that generates an Alert if unauthorized scanning is detected on a computer network that includes a look-up table to record state value corresponding to the sequence in which SYN, SYN/ACK and RST packets are observed. A set of algorithms executed on a processing engine adjusts the state value in response to observing the packets. When the state value reaches a predetermined value indicating that all three packets have been seen, the algorithm generates an Alert.

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to computer networks in general and, inparticular, to an intrusion detection system that protects such networksfrom malicious attacks launched by hackers.

2. Prior Art

The worldwide web (WWW) better known as the Internet is fast becomingthe premier computer network for communicating both private and publicinformation. The Internet is an open network that can be accessed byanyone using primarily a protocol called TCP/IP (Transmission ControlProtocol/Internet Protocol) or other protocols. Because of its opennesscomputers on private networks (intranets) are susceptible to maliciousattacks by hackers. Computers have become the main instrument ofcommunication for business and government agencies. For example, manybusiness and government agencies use computers and computer networks tolink remote offices, share data and other resources among employeeswithin an office or campus, communicate with customers via electronicmail, reach new customers via electronic mail, provide information viaweb sites, etc.

Because businesses, governments and individuals rely heavily oncomputers and the Internet malicious attacks could result in catatrophiceconomic loss or embarrassment. As a consequence computer security hasbecome a major concern of business, government and individuals using thecomputer as a major communication vehicle.

There are several ways in which hackers may elect to inflict maliciousattacks on computers. One way is to disrupt computers' operation bydisseminating programs that take unauthorized control of a computer'soperating system. Another way is to discover confidential informationabout assets in the computer or a subnet in the network for the purposeof deleting data, modifying date and/or copying data. Any of theseactions could adversely affect a home, business, or governmental agencynetwork.

To carry out these attacks a hacker or attacker may wish to obtaininformation by corrupting a normal Transmission Control Protocol (TCP)session-opening handshake. In this regard, the attacker may initiate aTCP session by sending a Synchronize (SYN) packet from User Space (thatis, User as opposed to Kernel mode in the Operating System). Theresulting SYN packet is not different from legitimate traffic; so itwill pass firewalls and be accepted by the victim or scanned host, ifthe TCP Destination Port is open (that is, the host is programmed toreply to TCP SYN packets arriving with the given port number).Therefore, open ports on the scanned host will reply with a TCP packetwith both the SYN and Acknowledgment (ACK) bits in the TCP header set(equal to 1 as opposed to 0). This reply is called a SYN/ACK. A portthat is not programmed to respond is called closed, and typically thehost will respond with a TCP packet in which the Reset (RST) bit hasbeen set. Upon receiving a RST response, the attacker will typicallyrecord (possibly with automatic software freely available on theInternet) the fact that a given TCP port at a given Internet Protocol(IP) Destination Address is closed, or simply do nothing. However, ifthere is a SYN/ACK response from the victim, the attacker will know thathe has found an open port that may be susceptible later to an actualattack. To try to avoid detection by some logging tools and suspicion bythe victim host, the attacker might immediately responds with a RSTpacket. Another reason to respond with a RST quickly is to ensure thatthe victim's computer does not crash due to an excessive number ofhalf-open connections. In doing so the attacker does no damage to thescanned computer and can continue to scan, thereby fulfilling the goalsof attacker reconnaissance. At the same time, the goals of the subnetadministrator include avoiding release of information about open portsand applications running in the subnet.

The prior art has recognized the importance of computer networks and hasprovided intrusion detection systems to protect them from hackers.Examples of prior art intrusion detection systems can be found in U.S.Pat. Nos. 6,477,651; 6,363,489; 6,405,318; 6,275,942; 5,991,881 and6,282,546. Even though the respective intrusion detection systemsdescribed in each of the patents works well for its intended purpose,for the most part most require the insertion of a marker into thenetwork traffic in order to detect surreptitious activities, such asscanning, or reconnaissance in the network. In several situations it maybe difficult to use the marker. Therefore, an alternate technique todetect scanning reconnaissance is desirable.

SUMMARY OF THE INVENTION

It is believed that most unauthorized entries are done in two stages,namely: reconnaissance and attack. During the reconnaissance stageinformation about computers is gathered. The gathered information isused in the attack stage to disrupt computing activities.

The present invention detects unauthorized users or scanning during thereconnaissance stage and takes corrective action set forth herein. Inparticular, the present invention uses detection of a predefinedsequence of TCP packets to determine that the network is being scanned.

In accordance with the present invention, network traffic is monitoredto detect a triplet (3) of packets flowing between a Source Address (SA)and a Destination Port (DP). The SA can be the 32-bit value of InternetProtocol version 4 (IPv4) or the 128-bit value of Internet Protocolversion 6 (IPv6). The triplet of packets are: SYN, SYN/ACK and RST. Oncethe triplet of packets is detected in the stated sequence, the SAassociated with these packets is identified as that of the hacker. Eventhough these packets are legitimate TCP/IP packets, they are notexpected to be seen in the stated sequence (triplet). Therefore, theirpresence is used to identify the source originating the SYN and RSTpackets and receiving the SYN/ACK packet as the hacker.

The detection mechanism includes a look-up table having a plurality oflocations. Each location is provided with a Source Address (SA) slot inwhich SA is written and a two-bit indicator slot for recording stateinformation. The state information relates to the order in which thetriplets TCP/IP packets SYN, SYN/ACK and RST are seen at the monitoringpoint in the network. In the specific embodiment 00 indicates initial ordefault state; 01 indicates SYN packet;10 indicates SYN/ACK packet; and11 indicates RST packet. The 11 state is the alarm state in which anadministrator is notified that a specific source Address is engaged inreconnaissance. In addition, other preventative measures may be taken.

A look-up device (including a general processor or specializedprocessor, such as an IBM PowerNP network processor, executingalgorithms discussed herein) dynamically adjusts state and/or SAinformation in the table to select and report SA having the 11 statecondition. In addition, the algorithm uses a hash of the four-tuples(SA, DA, SP, DP) of a received packet, called a key, to access the tablefor a SYN or RST packet. A hash of the reflection of the four-tuples(SA, DA, SP, DP) (the reflection being defined in the invention as thefour-tuple (DA, SA, DP, SP) obtained from the original SYN packet (SA,DA, SP, DP)) is used for the SYN/ACK packet.

Further features and advantages of the invention as well as thestructure and operation of various embodiments of the invention aredescribed in detail below with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows high level block diagram of a network and in particularsome potential logical locations to position the present invention asdetection mechanism.

FIG. 2 shows high level block diagram of components needed to implementthe present invention.

FIG. 3 shows a flowchart for the DETECTION algorithm of the presentinvention.

FIG. 4 shows a flowchart for the PURGE algorithm by which the memoryused in the present invention is periodically purged.

FIG. 5 shows a flowchart of actions to be taken in responding to anALERT indication.

FIG. 6 shows a flowchart for the DETECTION Algorithm with SA Check, analternative embodiment of the present invention.

FIG. 7 shows a format for TCP/IP packet.

FIG. 8 shows a graphical representation of the TCP Header Format.

FIG. 9 shows a graphical representation of the IP header format.

FIG. 10 shows a graphical representation of the look-up or histogramtable according to the teachings of the present invention.

FIG. 11 shows IP flows of packets exchanged between a scanner and atarget.

DETAILED DESCRIPTION OF EMBODIMENTS

FIG. 7 shows a graphical representation of TCP/IP packet or frame 700which includes a header portion 702 and a payload section 704. TheTCP/IP format is well known in the prior art. Therefore, only theportion of the format which relates to the present invention will bediscussed herein. The portion of the format which is relevant to thepresent invention is the header 702. The header section 702 includesboth a TCP header and IP header.

FIG. 8 shows TCP format 800. The TCP format 800 is well known in theprior art. Therefore, only the portions or fields of the header that areof interest to the present invention will be discussed herein. Therelevant fields of the TCP format are: Source Port (16 bits),Destination Port (16 bits) and control 802. The control 802 is a set ofsix 1-bit flags that can be set to identify the type of packet that isbeing transmitted. The three flags of interest to the present inventionare SYN, RST and SYN/ACK. For example, if the packet is a SYN packetwhich would be generated by a device, on the network, that wishes toestablish a TCP/IP session, the SYN field would be set to a 1. Likewise,if the packet is a SYN/ACK packet which is usually returned as aresponse to a SYN packet the acknowledge (ACK) bit and the SYN bit wouldbe set to 1 and so forth.

FIG. 9 shows format 900 for the IP portion of the header. Similar to theother header format, the IP format is well known in the prior art.Therefore, only the fields in the header that are relevant to thepresent invention will be described. The fields of interest are SourceIP Address (32 bits) and Destination IP Address (32 bits). Theconcatenation SA, DA, SP and DP is known as the four-tuple of the TCPpacket. According to the teachings of the present invention thefour-tuple is fed to a hash function and the hashed values are used aslocation to index into a histogram or look-up structure, to be discussedhereinafter for a SYN packet or RST packet. A reflection of thefour-tuple (SA, DA, SP, DP) is also hashed in part of the invention andthe hashed value used as location index into the look-up structure.

In addition to using the four-tuples and their reflection, the presentinvention monitors the network to detect a sequence of TCP/IP packets.The presence of these three packets might indicate reconnaissanceactivities on the network. The three packets are all TCP/IP packetsoccurring in the following order (D1, D2 and D3):

-   -   D1. The first packet is a TCP SYN packet. Its Source Address        (SA), Destination Address (DA), Source Port (SP), and        Destination Port (DP) are recorded in the four-tuple (SA, DA,        SP, DP).    -   D2. The second packet is a TCP SYN/ACK packet. Its four-tuple        consists of the same field values as the first packet but in the        reflected order (DA, SA, DP, SP).    -   D3. The third packet is a TCP RST packet. Its four-tuple        consists of the same field values of the first packet and in the        same order as in the first packet, that is, (SA, DA, SP, DP).

FIG. 10 shows look-up structure or look-up table or histogram 1000according to the teachings of the present invention. Histogram 1000 isused to track the occurrence and order of the triplets on the network.Histogram 1000 includes section 1002 in which source addresses (SA) ofdevices such as a computer connected to the network are recorded andsection 1004 a 2-bit code field for recording state information isconcatenated to the first section. The code bits are used to tracktriplets that are used to indicate illegal scanning if detected inrelationship to the same source address (SA). In particular, 00represents a default condition; 01 represents that a SYN packet has beenobserved; 10 indicates a SYN/ACK packet has been seen and 11 indicatesan alarm condition; the third of the triplet has been seen. In addition,the SYN and RST packets must originate from the same source address andthe SYN/ACK packet must be a response to the SYN packet from the samesource address. When all three packets have been seen relevant to thesame source address then an alarm indicating that illegal scanning isbeing conducted on the network is initiated.

FIG. 1 shows a highly simplified network 100 in which the detectionsystem 108 of the present invention could be implemented. The Internetor other network 102 connects to Edge devices 104. Each edge devicemight or might not contain an instance of the detection system 108. Edgedevices also connect subnets 106. In turn, two subnets might beconnected by a Bridge device 110. A Bridge device might or might notcontain an instance of the detection system 108. Because Edge devices,subnets and Bridge devices are well known in the prior art, furtherdiscussion of these entities will not be given.

Turning to FIG. 11 for the moment, a graphical representation of twonetwork devices operable positioned in the network of FIG. 1 is shown.The device labeled “scanner” represents the hacker or device which isscanning to gather information from the device labeled “target”. Thedevice labeled “target” includes the detection mechanism of the presentinvention. The flows or packets that are exchanged between the scannerand target are labeled and the direction of the flow is shown by thearrow. In order to gather the information the scanner generates andissues the first of the triplets labeled SYN which is forwarded to thetarget. The target seeing the SYN packet issues a SYN/ACK packet to thescanner which issued the original SYN packet. On receiving the SYN/ACKpacket the scanner would issue the packet labeled RST1. This sequence ofpacket SYN, SYN/ACK and RST1 when detected in the recited sequence bythe detection device in the target would very likely indicate thatmalicious scanning is being conducted in the network. The preventativemeasures set forth herein is practiced once this illegal sequence ofpackets are observed. It should be noted that if the scanner was alegitimate device on the network, then after receiving SYN/ACK from thetarget it would issue the flow labeled Acknowledge (ACK). The flow'sSYN, SYN/ACK and ACK are legitimate TCP handshaking signals that areexchanged in order to establish a legitimate session between stations onthe network. The description so far assumes that the port on the targetthrough which the packets are exchanged are open. However, if a port orports on the target are closed then that port would issue the packetlabeled “RST”.

FIG. 2 shows a block diagram for one embodiment of hardware used indetection system 200 which is labeled 108 in FIG. 1. Random AccessMemory (RAM) 202 stores updates of information as included in thepresent invention. A Central Processing Unit (CPU) 204 has access todata stored at configuration in Read Only Memory (ROM) 206 to implementthe algorithms of the present invention set forth herein and therebyupdate RAM. A Bus 208 is provided for communication of signals among thecomponents. An Input/Out put (I/O) adapter 210 manages signaling to andfrom external devices 212. The I/O adapter 210 might include a generalpurpose computer with monitor observed periodically by a humanadministrator. One of the devices 212 could be a device such as anadapter that detects packets on the network and forwards the packets tothe CPU for further processing according to teachings of the presentinvention.

In an alternate embodiment one of the device 212 could be a specialpurpose computer such as the PowerNP developed and marketed by IBM. ThePowerNP is a network processor that includes an Embedded ProcessorComplex (EPC) containing a plurality of processors that performs thenecessary function to enable routing of a packet within a network. ThePowerNP also includes storage in which the histogram according to theteachings of the present invention could be stored. In addition, thealgorithms described herein could be executed in the EPC. A moredetailed description of the PowerNP is set forth in U.S. Pat. No.6,404,752 which is incorporated herein in its entirety.

The intrusion detection system of the present invention also includesalgorithms which are described below. Before describing the algorithmsseveral features of the invention that are used by the algorithms willbe discussed. Let us defined the four-tuples of any TCP packet as theconcatenation consisting of the IP Source Address (SA) (32-bit or128-bit, depending upon application of the invention to IPv4 or IPv6),the IP Destination Address (DA) (again, 32-bit or 128-bit)we, the 16-bitTCP Source Port (SP), and the 16-bit TCP Destination Port (DP) in theorder: (SA, DA, SP, DP). Let the reflection of the four-tuple (SA, DA,SP, DP) be defined by (DA, SA, DP, SP). Note that the traffic in the twodirections of a TCP session consist precisely of some frames with agiven four-tuple and other frames (in the opposite direction) with afour-tuple that is the reflection of the first four-tuple. Next let usdefine a reflect hash function to be defined as a mathematical map fromthe space of all possible four-tuples (96 bits) to the space of the samenumber of bits. The reflect hash applied to (SA, DA, SP, DP) yields (DA,SA, DP, SP), that is certain source and destination fields of both IPand TCP headers have been interchanged.

In general, a lookup mechanism is any system or method that can recordthe experience of seeing a four-tuple, record anadministratively-determined action for that arriving four-tuple at thefirst time it is encountered, and can reapply the same action for thesame four-tuple (or a related action for the reflection of thefour-tuple) if it is encountered again. A lookup mechanism in apreferred embodiment will also have some mechanism for erasing fromfinite memory the record of those four-tuples and their actions thathave not been encountered for a prolonged interval of time.

A lookup mechanism in the present invention takes the given four-tupleas a key to find a leaf. Each leaf contains the full SA of the key and aState values that is 0=Default, 1, 2, or 3=ALERT (the same State valuescan of course appear in the form of binary numbers, namely, 00, 01, 10,and 11). Thus the input of the lookup is 96 bits and the output of thelookup is 32 bits for SA and 2 bits for State. The present inventionincludes the following DETECTION and PURGE algorithms.

Referring to FIG. 3, a flowchart is shown for the DETECTION algorithmincluded in the invention. As stated herein the algorithm can beefficiently executed in the PowerNP discussed above. In particular thealgorithm is executed on the EPC (Embedded Processor Complex) shown inFIG. 1 of U.S. Pat. No. 6,404,752 and incorporated herein by reference.The algorithm could also be executed on CPU 204. The start 302 of thealgorithm is followed by the arrival of the next packet 304. TheInternet Protocol (IP) packet is tested 306 for being SYN. If it is,then it is further tested 308 for being SYN/ACK packet. If it is, thenthe four-tuple is fed to the reflection hash 310 discussed herein. Thereflected hash value is used in the lookup 312 that is done in look-upstructure 1000 (FIG. 10). The State is tested 314 for being 1. If it is1, then the State is set 316 to 2. Next the system returns to the nextpacket arrival 304. If in 314 the State is not 1, then the State is setto 0, 322. Next the system returns to the next packet arrival 304. In308, if the packet is not SYN/ACK, then the algorithm branches to 320.The four-tuple of the packet leads to creation of an entry in look-upstructure 1000 labeled by the hash value. The entry contains the full SAand the State, which is set to 1. Next the system returns to the nextpacket arrival 304. If in 306 the packet is not SYN, then the packet istested 326 for being RST. If the packet is RST, then the packet is sentto the Lookup 328 that is done in look-up structure 1000 (FIG. 10). Thestate associated with the lookup is tested 330. If the State is 2, thenState is set to 3, the ALERT State 332. This triggers a RESPONSE,described below. Next the system returns to the next packet arrival 304.If in 330 the State is not 2, then the State is set to 0, 342. Next thesystem returns to the next packet arrival 304. If in 326 packet is notRST, then the packet is fed to lookup 340. Then the State is set to 0,342. Next the system returns to the next packet arrival 304.

An alternate representation of the detection algorithm is set forth inTABLE I. The steps 1 through 15 are self-explanatory. Therefore, furtherdescription is not warranted. TABLE I DETECTION Algorithm 1. A packetarrives 2. If the packet is not a TCP SYN packet, then goto 10. 3. Ifthe packet is not SYN/ACK, then goto 8. 4. Feed the four-tuple in thepacket to the reflect hash. 5. Lookup the reflected four-tuple and findits State. 6. If the State is not 1, then set the State = 0 and goto 1.7. Set the State = 2 and goto 1. 8. In the Lookup mechanism, add thefour-tuple with SA and State = 1 in leaf. 9. Goto 1. 10. If the packetis not RST, then goto 14. 11. Lookup the four-tuple. 12. If the State isnot 2, then set State =0 and goto 1. 13. A SYN, SYN/ACK, RST triplet hasbeen observed, set State = 3 and goto 1. 14. Lookup the four-tuple. 15.Record the State as 0 and goto 1.

Referring to FIG. 4, a flowchart 400 is shown for the PURGE algorithmincluded in the invention. The purge algorithm periodically deletes oldinformation from memories in a reasonable time such as 16 seconds thatis larger than typical three-way TCP handshake duration. Typical valuesfor Purge interval would be one or ten seconds. The start 402 of PURGEleads to continuous running of a counter. It is periodically checked 404for its value relative to a threshold. If comparison 406 shows the valueis less than the threshold, then the system returns to await anotherperiodic check. If comparison 406 shows the value is greater than orequal to the threshold, then a certain fraction of memory such as{fraction (1/16)} is completely erased 408. The erasure is done in roundrobin manner among fractions of memory. Next the counter is reset tozero 410. Next the system returns to 404 to await periodic checking ofthe counter value. The counter would be scaled so that the overall Purgeinterval might be about one or ten seconds.

An alternate representation of the Purge Algorithm is shown in TABLE II.The steps 1 through 5 of the Purge Algorithm is self-explanatory.Therefore, further description is not warranted. TABLE II PURGEAlgorithm 1. Periodically check the value of a continuously runningcounter. 2. If the value of the counter is less than a threshold, goto1; else goto 3. 3. Delete a fraction such as {fraction (1/16)} of allmemory entries (occupied slots and leaf SA, State values). 4. Reset thecounter value to zero. 5. Goto 1.

Referring to FIG. 5, flowchart 500 for the RESPONSE to the ALERT (FIG.3) is shown. The invention includes several possible options for aRESPONSE when the ALERT pointer is newly set. RESPONSE starts 502 andawaits an ALERT indication. When an ALERT pointer arrives 504, theinvention determines 506 by configuration whether or not a message is tobe sent to an administrator. If yes, then the message is sent 508. Ineither event, the invention next determines 510 by configuration whetheror not future packets with the same SA, DA, DP are to be blocked. Ifyes, then blocking process is initiated 512. In either event, theinvention next determines 514 by configuration whether or not the flowof future packets with the same SA is to be rate-limited. If yes, thenrate-limiting process is initiated 516. In either event, the inventionnext determines 518 by configuration whether or not some additionalresponse measure is to be taken. If yes, then additional measure isinitiated 520. In either event, the system returns 504 to await the nextALERT indication.

Referring to FIG. 6, a flowchart 600 is shown for the DETECTIONAlgorithm with SA Check, as may be used in an alternative embodiment ofthe present invention to reduce the likelihood of false positive ALERTs.In this alternate embodiment the lookup mechanism includes a directtable with each location of the table regarded as a leaf. The start 602of the algorithm is followed by the arrival of the next packet 604. Thepacket is tested 606 to see if it is a SYN packet. If it is, then it isfurther tested 608 for being SYN/ACK. If it is, then the four-tuple isfed to the reflection hash 610. The reflected hash value is used in theLookup 612. To provide look-up 612 the reflected hashed value is used asan index to access a location in the look-up table in FIG. 10. The keySA and the leaf or location SA are compared 614. If they are not equal,then delete the slot entry and leaf 620. Next the system returns to thenext packet arrival 604. If in 614 the key SA and the leaf SA are equal,then the State is compared to 1, 616. If the State is 1, then the Stateis set 618 to 2. Next the system returns to the next packet arrival 604.If in 616 the State is not 1, then the State is set to 0, 622. Next thesystem returns to the next packet arrival 604. In 608, if the packet isnot SYN/ACK, then the algorithm branches to 624. The four-tuple of thepacket leads to creation of a leaf labeled by the hash value. The leafcontains the full SA and the State, which is set to 1, 624. Next thesystem returns to the next packet arrival 604. If in 606 the packet isnot SYN, then the packet is tested 626 for being RST. If the packet isRST, then the packet is sent to the Lookup 628. The Lookup compares 630the key SA and the leaf SA. If they are not equal, then delete the slotentry and leaf 632. Next the system returns to the next packet arrival604. If the key SA and the leaf SA are equal, then the State of thepacket is compared to 2, 634. If the State is 2, then State is set to 3,the ALERT State 636. This triggers a RESPONSE, described herein. Nextthe system returns to the next packet arrival 604. If in 634 the Stateis not 2, then the State is set to 0, 638. Next the system returns tothe next packet arrival 604. If in 626 packet is not RST, then thepacket is fed to Lookup 640. Next the key SA and the leaf SA arecompared 642. If they are equal, then the State is set to 0, 638. Nextthe system returns to the next packet arrival 604. If in 642 the key SAand the leaf SA are not equal, then delete the slot entry and leaf 644.Next the system returns to the next packet arrival 604. This concludesthe detailed description of the present invention.

The foregoing is illustrative of the present invention and is not to beconstrued as limiting thereof. Although exemplary embodiments of thisinvention have been described, those skilled in the art will readilyappreciate that many modifications are possible in the exemplaryembodiments without materially departing from the novel teaching andadvanced use of this invention. Accordingly, all such modifications areintended to be included within the scope of this invention as defined inthe claims.

1. A method to detect unauthorized reconnaissance or scanning of acomputer network comprising the acts of: (a) monitoring communicationswithin the network; (b) detecting predefined sequence of packets flowingwithin said communications; and (c) issuing an alert indicatingunauthorized scanning if the predefined sequence of packets is detected.2. The method of claim 1 wherein the monitoring is done within aselected network device.
 3. The method of claim 1 or claim 2 wherein thedetecting act further includes the acts of providing a histogram inwhich states of the predefined sequence of packets are maintained; anddynamically updating said histogram as selected ones of the predefinedsequence of packet is detected.
 4. The method of claim 3 wherein thehistogram includes a table partitioned into a first field in whichsource addresses of network devices are kept; and a second field,concatenated to the first field, in which a code representing states inwhich packets in the predefined sequence of packets are detected.
 5. Themethod of claim 1 wherein the predefined sequence of packets is beingselected from packets of the TCP/IP protocol set.
 6. The method of claim5 wherein the TCP/IP protocol set includes a TCP SYN packet, a TCPSYN/ACK packet and TCP RST packet.
 7. The method of claim 6 wherein adevice at a same source address generates the TCP SYN packet, the TCPRST packet and received the TCP SYN/ACK packet.
 8. The method of claim 1wherein the issuing act further includes the acts of sending a messageto an administrator.
 9. The method of claim 1 wherein the issuing actfurther includes the act of blocking future packets from networkcomputers having predefined characteristics.
 10. The method of claim 1wherein the issuing act further includes the act of rate-limiting flowsof packets from network devices having predefined characteristics. 11.An intrusion detection system including: a table containing at least onecharacteristic identifying network devices and a set of state codecorresponding to a sequence in which a predefined set of packets areobserved; and a controller operable to examine received packets, toadjust the state code and to generate an alert if one of the set ofstate code reaches a predefined value.
 12. The intrusion detectionsystem of claim 11 wherein the at least one characteristic includes aSource Address.
 13. The intrusion detection system of claim 11 whereinthe set of state code corresponding to the sequence of predefinedpackets includes 00 representing a default, 01 representing a first ofthe sequence of predefined packets, 10 representing a second of thesequence of predefined packets and 11 representing last of the sequenceof predefined packets.
 14. The intrusion detection system of claim 11wherein the predefined set of packets are selected from TCP/IP protocolset.
 15. The intrusion detection system of claim 14 wherein selectedpackets from the TCP/IP protocol set includes SYN, SYN/ACK and RST. 16.The intrusion detection system of claim 11 wherein the controllerincludes a programmed general purpose computer.
 17. The intrusiondetection system of claim 11 wherein the controller includes aprogrammed specialized computer.
 18. The intrusion detection system ofclaim 17 wherein the specialized computer includes a network processor.19. The intrusion detection system of claim 17 wherein the predefinedvalue includes “11”.
 20. A program product including: a medium; and acomputer program recorded on said medium, said computer programincluding a first set of instructions that examine packets to detect apredefined sequence of packets; and a second set of instructions thatgenerate an alert if the predefined sequence of packets are detected.21. The program product of claim 20 further including a third set ofinstructions responsive to the alert to generate a message notifying anoperator of an occurrence of an event.
 22. The program product of claim21 wherein the event indicates unauthorized scanning of a deviceexecuting said program product.
 23. The program product of claim 20wherein the predefined sequence of packets are selected from TCP/IPprotocol set.
 24. The program product of claim 20 wherein the predefinedsequence of packets include SYN, SYN/ACK and RST.
 25. A method to deployan intrusion detection system on a network device including acts of:providing an algorithm to detect a predefined set of packets; andgenerating an alert if the predefined set of packets is detected. 26.The method of claim 25 further including the act of providing a table torecord at least one characteristic to identify network devices and statecode corresponding to a sequence in which the predefined set of packetsare received.
 27. The method of claim 25 wherein the predefined set ofpackets is being selected from packets of the TCP/IP protocol set. 28.The method of claim 25 wherein the predefined set of packets includesSYN, SYN/ACK and RST.
 29. The method of claim 27 wherein the packets ofthe TCP/IP protocol set include SYN, SYN/ACK and RST.
 30. A method toprotect devices from malicious attacks launched on a computer networkincluding the acts of: providing on a device to be protected a softwareprogram that monitors packets; and issuing an alert if a predefined setof packets are detected.
 31. The method of claim 30 wherein thepredefined set of packets are detected in a predefined sequence.
 32. Themethod of claim 31 wherein the predefined sequence includes a SYNpacket, a SYN/ACK packet and an RST packet provided in the order ofrecitation.
 33. The method of claim 32 wherein a single Source Address(SA) issues the SYN and RST packets and receives the SYN/ACK packet. 34.The method of claim 30 wherein the software program includes a tablecontaining codes whose values represent detection of one of thepredefined set of packets.
 35. The method of claim 34 wherein the tablefurther includes at least one source Address (SA) associated with atleast one of the codes.